CVE-2025-3188

7.3 HIGH

📋 TL;DR

This high-severity SQL injection vulnerability in PHPGurukul e-Diary Management System 1.0 allows attackers to manipulate database queries through the Category parameter of /add-notes.php. Attackers can potentially read, modify, or delete sensitive data in the database. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • PHPGurukul e-Diary Management System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP environment with database backend (typically MySQL/MariaDB).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, or complete system takeover via SQL injection escalated to remote code execution.

🟠 Likely Case

Unauthorized access to sensitive student/teacher data, grade manipulation, or system disruption.

🟢 If Mitigated

Limited impact: proper input validation and restrictive database permissions confine damage to non-critical data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public exploit is available on GitHub; SQL injection via the Category parameter requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://phpgurukul.com/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

Applies to: all

Modify /add-notes.php to validate the Category parameter and use prepared statements

Replace string-built SQL queries with prepared statements using PDO or mysqli
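As an added illustration of the workaround above (not PHPGurukul's code), the following hypothetical add-notes handler shows the string-concatenation pattern that leaves the Category parameter injectable, beside a hardened form that validates the value and binds it with a mysqli prepared statement. The table and column names (tblnotes, Category, NoteTitle, Notes) and the validation policy are assumptions.

```php
<?php
// Added example: hypothetical add-notes handler, not the vendor's code.
// Table/column names (tblnotes, Category, NoteTitle, Notes) are assumptions.

// Vulnerable pattern: the Category value is spliced into the SQL text, so the
// database parses attacker-controlled characters as query syntax.
function addNoteVulnerable(mysqli $db, array $post): bool {
    $category = $post['Category'];   // a value such as "1' OR '1'='1" reaches the SQL parser
    $sql = "INSERT INTO tblnotes (Category, NoteTitle, Notes) VALUES ('"
         . $category . "', '" . $post['NoteTitle'] . "', '" . $post['Notes'] . "')";
    return $db->query($sql) !== false;
}

// Hardened form: validate the input, then bind it as data, never as SQL text.
function validateCategory(string $value): ?string {
    $value = trim($value);
    // Assumed policy: non-empty, at most 100 chars, letters/digits/space/-/_ only.
    if ($value === '' || strlen($value) > 100 || !preg_match('/^[\w \-]+$/u', $value)) {
        return null;
    }
    return $value;
}

function addNoteSafe(mysqli $db, array $post): bool {
    $category = validateCategory($post['Category'] ?? '');
    $title    = trim($post['NoteTitle'] ?? '');
    $body     = $post['Notes'] ?? '';
    if ($category === null || $title === '') {
        http_response_code(400);   // reject invalid input instead of guessing
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO tblnotes (Category, NoteTitle, Notes) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    // Bound values travel separately from the SQL text, so quotes, comment
    // markers and keywords inside them cannot change the statement structure.
    $stmt->bind_param('sss', $category, $title, $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage with a hypothetical connection:
// $db = new mysqli('localhost', 'app_user', 'app_pass', 'ediary');
// addNoteSafe($db, $_POST);
```

The same binding discipline applies to every other query in the application that takes request input, not only the Category parameter named in this advisory.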

Web Application Firewall (WAF)

Applies to: all

Deploy WAF rules to block SQL injection patterns

Configure the WAF to block requests containing SQL keywords in the Category parameter

🧯 If You Can't Patch

  • Disable or restrict access to /add-notes.php endpoint
  • Implement network segmentation and restrict database access to application server only

🔍 How to Verify

Check if Vulnerable:

Test /add-notes.php with SQL injection payloads in Category parameter (e.g., Category=1' OR '1'='1)

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Verify that prepared statements are implemented and that SQL injection test payloads produce an error or no data leakage

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts following SQL injection patterns
  • Unexpected database queries from web server

Network Indicators:

  • HTTP POST requests to /add-notes.php with SQL keywords in parameters
  • Unusual database traffic patterns from web server

SIEM Query:

source="web_logs" AND uri="/add-notes.php" AND (param="Category" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|/\*)")

🔗 References
